[Unit]
Description=Muscl MySQL admin tool
Requires=muscl.socket
After=mysql.service mariadb.service

[Service]
Type=notify
ExecStart=/usr/bin/muscl server --systemd --disable-landlock socket-activate
ExecReload=/usr/bin/kill -HUP $MAINPID

WatchdogSec=15

# Although this is a multi-instance unit, the constant `User` field is needed
# for authentication via mysql's auth_socket plugin to work.
User=muscl
Group=muscl
DynamicUser=yes

ConfigurationDirectory=muscl

ImportCredential=muscl_mysql_password

# This is required to read unix user/group details.
PrivateUsers=false

# Needed to communicate with MySQL.
PrivateNetwork=false
PrivateIPC=false

AmbientCapabilities=
CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=yes
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=strict
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SocketBindDeny=any
SystemCallArchitectures=native

SystemCallFilter=@system-service
# This is needed for landlock
# SystemCallFilter=@sandbox
SystemCallFilter=~@privileged @resources

UMask=0777